
Updating TLS options in client



Hi.

I have a daemon which is an LDAP client, using OpenLDAP (V2.0.23).

My daemon looks like:

while(still_alive){
	wait_activity();
	do_some_stuff();
	if (need_ldap_request){
		load_ldapconf(ldapconf);
		make_ldap_requests(ldapconf);
		free_ldapconf(ldapconf);
	}
	do_other_stuff();
}

The LDAP conf may require an SSL connection to the server, and the LDAP conf may
be modified while the daemon is running.

In most cases, all works well, but some TLS_OPT options won't be
updated if tls_def_ctx is not NULL (in libraries/libldap/tls.c), and
those options can only be set for default context.

So if I set up some TLS options then make an LDAP request, the only way
to change TLS options again is to kill my daemon and start it
again... and I just can't do that!!!


So I made a small patch to OpenLDAP 2.0.23 (should also commit in
REL_2_1 and HEAD, but not tested).


This patch resets tls_def_ctx each time a tls_set_option modifies a
value used by tls_def_ctx, which forces reinitialisation of tls_def_ctx
for next connection.


I also have to modify ldap_set_option to allow all LDAP_OPT_X_TLS
options to make a call to tls_set_option, even if invalue is NULL.

Note that this check is quite bad (I just check if the option is greater
than LDAP_OPT_X_TLS), but I didn't find a better way to make it.



My patch also adds a mutex_lock at the beginning of
ldap_pvt_tls_destroy, and fixes something which looks to me like a memory
leak in tls_set_option, when giving a new tls_def_ctx.


My daemon actually works with a patched version of the OpenLDAP 2.0.23
libraries, but I would like to have a confirmation from the devel team.



Regards,

VANHULLEBUS Yvan.

*** libraries/libldap/options.c.orig	Fri Jun  7 16:13:14 2002
--- libraries/libldap/options.c	Fri Jun  7 16:13:18 2002
***************
*** 425,433 ****
  			lo->ldo_rebindproc = (LDAP_REBIND_PROC *)invalue;		
  		} return LDAP_OPT_SUCCESS;
  	}
  
! 	if(invalue == NULL) {
  		/* no place to set from */
  		return LDAP_OPT_ERROR;
  	}
  
--- 425,433 ----
  			lo->ldo_rebindproc = (LDAP_REBIND_PROC *)invalue;
  		} return LDAP_OPT_SUCCESS;
  	}
  
! 	if(invalue == NULL && option < LDAP_OPT_X_TLS) {
  		/* no place to set from */
  		return LDAP_OPT_ERROR;
  	}
  
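Review bot: the guard in `if(invalue == NULL && option < LDAP_OPT_X_TLS)` exempts options positionally rather than by name: it assumes every TLS option is numbered above LDAP_OPT_X_TLS and that nothing else ever will be, so any later option added in that range silently loses its NULL check and has a NULL invalue handed to it. Listing the LDAP_OPT_X_TLS_* cases explicitly (or dispatching the TLS options to tls_set_option from the switch above, before this check is reached) would make the exemption deliberate; either way, each tls_set_option case that can now receive NULL needs to be confirmed to handle it.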
*** libraries/libldap/tls.c.orig	Fri Jun  7 16:12:57 2002
--- libraries/libldap/tls.c	Fri Jun  7 16:13:06 2002
***************
*** 103,112 ****
--- 103,118 ----
   */
  void
  ldap_pvt_tls_destroy( void )
  {
+ #ifdef LDAP_R_COMPILE
+ 	ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
+ #endif
  	SSL_CTX_free(tls_def_ctx);
  	tls_def_ctx = NULL;
+ #ifdef LDAP_R_COMPILE
+ 	ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
+ #endif
  
  	EVP_cleanup();
  	ERR_free_strings();
  
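Review bot: the second added block in ldap_pvt_tls_destroy calls `ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );` a second time where it should call `ldap_pvt_thread_mutex_unlock`, so with LDAP_R_COMPILE defined the mutex is taken twice and never released; the matching block at the end of tls_set_option has the unlock right. Since lock / `SSL_CTX_free(tls_def_ctx)` / `tls_def_ctx = NULL` / unlock now appears verbatim in two places, a small static helper would keep them in step and would have caught this.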
***************
*** 1039,1049 ****
  		return -1;
  
  	case LDAP_OPT_X_TLS_CTX:
  		if ( ld == NULL ) {
  			tls_def_ctx = (SSL_CTX *) arg;
! 
  		} else {
  			ld->ld_defconn->lconn_tls_ctx = arg;
  		}
  		return 0;
  	}
--- 1045,1063 ----
  		return -1;
  
  	case LDAP_OPT_X_TLS_CTX:
  		if ( ld == NULL ) {
+ #ifdef LDAP_R_COMPILE
+ 			ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
+ #endif
+ 			if (tls_def_ctx) SSL_CTX_free(tls_def_ctx);
  			tls_def_ctx = (SSL_CTX *) arg;
! #ifdef LDAP_R_COMPILE
! 	ldap_pvt_thread_mutex_unlock( &tls_def_ctx_mutex );
! #endif
  		} else {
+ 			if(ld->ld_defconn->lconn_tls_ctx)
+ 				SSL_CTX_free(ld->ld_defconn->lconn_tls_ctx);
  			ld->ld_defconn->lconn_tls_ctx = arg;
  		}
  		return 0;
  	}
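Review bot: freeing the previous context before `tls_def_ctx = (SSL_CTX *) arg;` (and likewise before `ld->ld_defconn->lconn_tls_ctx = arg;`) changes the ownership contract of LDAP_OPT_X_TLS_CTX: a caller that installed its own SSL_CTX earlier and still uses it elsewhere now has it released behind its back. If the library is meant to own contexts set through this option, that should be stated where the option is documented; otherwise the free belongs to the caller, not here. Two smaller points: the `!` unlock lines are indented one level left of the lock lines they pair with, and the `if (tls_def_ctx)` guard is inconsistent with ldap_pvt_tls_destroy, which passes tls_def_ctx to SSL_CTX_free unguarded; pick one convention.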
***************
*** 1082,1089 ****
--- 1096,1112 ----
  		break;
  	default:
  		return -1;
  	}
+ #ifdef LDAP_R_COMPILE
+ 	ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
+ #endif
+ 	SSL_CTX_free(tls_def_ctx);
+ 	tls_def_ctx = NULL;
+ #ifdef LDAP_R_COMPILE
+ 	ldap_pvt_thread_mutex_unlock( &tls_def_ctx_mutex );
+ #endif
+ 
  	return 0;
  }
  
  int
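Review bot: the free-and-reset block at the end of tls_set_option runs for every option that falls out of the switch, whether or not `ld` was NULL, so setting a per-handle TLS option also throws away the global default context and forces every later connection to rebuild it; if any of those cases only touch per-handle state, guarding the block with `if ( ld == NULL )`, or resetting only in the cases that change what tls_def_ctx was built from (which is what the cover mail describes), would avoid that. It is also worth confirming and noting in the cover mail that connections already open, whose SSL objects were created from the context freed here, are unaffected, since that is the assumption the reset rests on.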